GhostNet: Why it's a big deal

April 15, 2009

Michael Kassner
Tech Republic
April 14, 2009

The Tibetan Government in Exile asked the
Information Warfare Monitor consortium to
investigate allegations of cyberspying. It
appears they’ve found evidence of spying plus a
whole lot more and that should concern all of us.

To begin, Information Warfare Monitor (IWM) is a
well-regarded research team consisting of the
SecDev Group and the Citizen Lab, Munk Center for
International Studies, University of Toronto. The
following skill set will explain why the Tibetan
government asked the IWM for help:

Operational Case Studies: Consisting of active
operational research employing a
cross-disciplinary fusion of intelligence
gathered at the field level with advanced network
monitoring/visualization techniques.

Analytical products: Generate case study data
that illustrate the strategic significance of
cyberspace and highlight the opportunities,
challenges, and threats implicit to a
militarization of cyberspace, including effects
generated by third-party actors.

From the beginning

This compelling story about the Dalai Lama and
the Tibetan Government in Exile started almost a
year ago. That’s when office workers began to
complain about computers that weren’t behaving
normally. To us IT types that may seem like
business as usual, yet it was the first clue of
something being drastically wrong.

After some initial troubleshooting by the Tibetan
IT personnel, the IWM group was called into help.
It didn’t take analysts from IWM long to
determine that several computers were indeed
victims of a Trojan program called Gh0st RAT. For
those interested, it’s an offspring of the famous Poison Ivy trojan.

Infection via e-mail

The next step was to figure out how the computers
were being compromised. IWM researchers
eventually determined that opening an attached
document (containing malware) was the catalyst
for becoming infected. I couldn’t find any
mention as to what dropper program was used. Moot
point I guess, as the goal was to successfully
get Gh0st RAT on the intended computer. The research paper did mention:

"Only 11 of the 34 anti-virus programs provided
by Virus Total recognized the malware embedded in
the document. Attackers often use executable
packers to obfuscate their malicious code in
order to avoid detection by anti-virus software.”

Even so, malicious attachments are a well-known
attack vector and that method shouldn’t have
worked, right? Maybe, except the attackers were
very creative. Using appropriate e-mail addresses
and realistically-named attachments like
“Translation of Freedom Movement ID Book for
Tibetans in Exile.doc”. I can’t honestly say that
I’d have been suspect of an e-mail like the following:

Even sneakier

Misleading the office workers became easier for
the attackers once several computers became
infected, simply because the attackers then have
authentic documentation and contact information:

"Once compromised, files located on infected
computers may be mined for contact information,
and used to spread malware through e-mail and
document attachments that appear to come from
legitimate sources, and contain legitimate documents and messages."

Something I didn’t think about was the
coincidental spreading of Gh0st RAT. Since the
attachments looked real and Gh0st RAT typically
doesn’t affect normal computer operations,
workers may have inadvertently sent the malicious
attachments to others, hastening the trojan’s propagation:

"It is therefore possible that the large
percentage of high value targets identified in
our analysis of the GhostNet are coincidental,
spread by contact between individuals who
previously communicated through e-mail.”

I’m not sure how you combat social-engineering;
it’s been around a long time and appears here to stay.

Sadly enough, that wasn’t the Tibetan system
administrator’s only problem. They had the all
too easy to subvert operating system
vulnerabilities to deal with. The report didn’t
offer any more detail, so I’m not sure whether
the attackers used zero-day exploits or if the computers weren’t fully updated.

What’s Gh0st RAT capable of?

Ghost RAT (Poison Ivy) is considered a Remote
Administration Tool, basically a remote access
program like VNC. Allowing the attacker almost
complete control over the victim computer. Poison
Ivy/Gh0st RAT is capable of the following:

* Files can be manipulated completely and the
attacker can upload/download files to and from the system.
* The registry can be viewed and edited.
* Active services can be viewed, suspended, or shut off.
* Enabled network connections can be determined and shut disabled.
* Installed devices can be viewed and some devices can be disabled
* Installed applications can be viewed and
entries can be deleted or programs uninstalled.

Being recently updated, Gh0st RAT has a few
additional features that make it an effective spy tool:

* Screenshots of the desktop can be taken,
* Web cams, microphones, and audio/visual
recording programs can be enabled to act as surveillance devices.
* Passwords and password hashes are saved.
* Key loggers can be used in conjunction with
other devices to steal information.

All and all, it appears to be an efficient remote
admin tool. If you aren’t convinced, check out
Symantec’s detailed video that explains Gh0st RAT’s capabilities.

Many Gh0st RATs equal GhostNet

I consider the discovery of the GhostNet to be
exemplary detective and forensic work. Initially
the IWM team didn’t know what to expect as they
worked their way from individual computers
infected with Gh0st RAT back to the GhostNet control servers:

"During this process we were able to find and
access web-based administration interfaces on the
control server identified from the OHHDL data.
These servers contain links to other control
servers as well as command servers, and so
therefore we were able to enumerate additional command and control servers.”

Once they had penetrated the control servers they
began to get an idea as to how many computers were members of the GhostNet:

"In total, we found 1,295 infected computers
located in 103 countries. We found that we were
able to confidently-on a scale of low, medium,
high-identify 397 of the 1,295 infected computers
(26.7%), and labeled each one as a high-value
target. We did so because they were either
significant to the relationship between China and
Tibet, Taiwan or India, or were identified as
computers at foreign embassies, diplomatic
missions, government ministries, or international organizations."

Further insight

I’d recommend listening to Jesse Brown’s (CBC.ca)
podcast titled "Exposing the world’s biggest
cyberspy ring“, as he interviews members of the
IWM team that were directly involved with the
project. I’d also like to recommend the IWM’s
official report titled “Tracking GhostNet:
Investigating a Cyber Espionage Network“, I
consider it to be an exceptional document,
offering proof as well as a definitive
explanation of the entire investigative process.
It’s the report that I’ve quoted numerous times in this article.

Final thoughts

It sounds like the Internet is slowly becoming a
war zone. How prevalent is this type of
electronic espionage? Who’s involved, or is it
easier to say who isn’t involved? Depressing
isn’t it. Odd as it sounds, I remain hopeful
because of organizations like IWM. Their hard
work is making the Internet a safer place.

TechRepublic’s IT Security e-mail newsletter
(delivered every Tuesday) is a great way to keep
on top of security issues related to Information
Technology. Please make sure to sign up.

Michael KassnerMichael Kassner has been involved
with with IT for over 30 years. Currently a
systems administrator for an international
corporation and security consultant with MKassner
Net. Twitter at MPKassner. Read his full bio and profile.